1. 首页
  2. 问答
  3. 如何授予MySQL服务器管理权限(SUPER,RELOAD ...)与否?

如何授予MySQL服务器管理权限(SUPER,RELOAD ...)与否?

2014-04-09 66 views
8

有没有办法如何使用Ansible mysql_user模块(或使用任何其他模块)授予MySQL管理权限?我想为用户设置SUPERRELOADSHOW DATABASES特权以及其他一些特定于数据库的特权。如何授予MySQL服务器管理权限(SUPER,RELOAD ...)与否?

基本设置很适合我:

- name: Set user privileges 
    mysql_user: 
    user={{ mysql_user }} 
    password={{ mysql_password }} 
    state=present 
    priv={{ item }} 
    with_items: 
    - 'somedatabase.*:ALL' 
    - 'someotherdatabase.*:ALL'

...结果:

TASK: [db | Set user privileges] 
********************************************** 
ok: [dbuser] => (item=somedatabase.*:ALL) 
ok: [dbuser] => (item=someotherdatabase.*:ALL)

以下设置口口声声说 “改变” 和特权都没有什么人们会预期:

- name: Set user privileges 
    mysql_user: 
    user={{ mysql_user }} 
    password={{ mysql_password }} 
    state=present 
    priv={{ item }} 
    with_items: 
    - '*.*:SUPER,RELOAD,SHOW\ DATABASES' 
    - 'somedatabase.*:ALL' 
    - 'someotherdatabase.*:ALL'

(重复)运行:

TASK: [db | Set user privileges] 
********************************************** 
changed: [dbuser] => (item=*.*:SUPER,RELOAD,SHOW\ DATABASES) 
changed: [dbuser] => (item=somedatabase.*:ALL) 
ok: [dbuser] => (item=someotherdatabase.*:ALL)

结果:

mysql> show grants for 'dbuser'@'localhost'; 
+---------------------------------------------------------------------------------------------------------------+ 
| Grants for [email protected]                     | 
+---------------------------------------------------------------------------------------------------------------+ 
| GRANT USAGE ON *.* TO 'dbuser'@'localhost' IDENTIFIED BY PASSWORD '*2046D2DDAE359F311435E8B4D3776EFE13FB584C' | 
| GRANT ALL PRIVILEGES ON `somedatabase`.* TO 'dbuser'@'localhost'            | 
| GRANT ALL PRIVILEGES ON `someotherdatabase`.* TO 'dbuser'@'localhost'           | 
+---------------------------------------------------------------------------------------------------------------+ 
3 rows in set (0.00 sec)

有谁知道如何:

  1. 设置SUPERRELOADSHOW DATABASE管理。特权?
  2. 使配置幂等?

来源

2014-04-09 Ikar Pohorský

回答

12

终于找到了优雅的解决方案!首先所有的特权应该某处定义为一个列表:

$ cat group_vars/dbservers 
mysql_privileges: 
    - 'somedatabase.*:ALL' 
    - 'someotherdatabase.*:ALL' 
    - '*.*:SUPER,RELOAD,SHOW\ DATABASES'

那么mysql_user插件并不需要追加的特权,只要使用以下格式在documentation提到的权限字符串:mydb.*:INSERT,UPDATE/anotherdb.*:SELECT/yetanotherdb.*:ALL

唯一的诀窍就是列表转换为字符串:

- name: Set user privileges 
    mysql_user: 
    user={{ mysql_user }} 
    password={{ mysql_password }} 
    state=present 
    priv={{ mysql_privileges|join('/') }}

任务的重复运行不说改变了:

TASK: [db | Set user privileges] 
********************************************** 
ok: [dbuser]

来源

2014-04-14 08:05:45

7

发现当切换特权顺序时,我可以授予提及的管理员权限。特权:

- name: Set user privileges 
    mysql_user: 
    user={{ mysql_user }} 
    password={{ mysql_password }} 
    state=present 
    append_privs=yes 
    priv={{ item }} 
    with_items: 
    - 'somedatabase.*:ALL' 
    - 'someotherdatabase.*:ALL' 
    - '*.*:SUPER,RELOAD,SHOW\ DATABASES'

权限按预期设定:

mysql> show grants for 'dbuser'@'localhost'; 
+---------------------------------------------------------------------------------------------------------------------------------------+ 
| Grants for [email protected]                           | 
+---------------------------------------------------------------------------------------------------------------------------------------+ 
| GRANT RELOAD, SHOW DATABASES, SUPER ON *.* TO 'dbuser'@'localhost' IDENTIFIED BY PASSWORD '*2046D2DDAE359F311435E8B4D3776EFE13FB584C' | 
| GRANT ALL PRIVILEGES ON `somedatabase`.* TO 'dbuser'@'localhost'                  | 
| GRANT ALL PRIVILEGES ON `someotherdatabase`.* TO 'dbuser'@'localhost'                 | 
+---------------------------------------------------------------------------------------------------------------------------------------+

虽然任务依然没有幂等。每一轮都给我:

TASK: [db | Set user privileges] 
********************************************** 
changed: [dbuser] => (item=somedatabase.*:ALL) 
ok: [dbuser] => (item=someotherdatabase.*:ALL) 
changed: [dbuser] => (item=*.*:SUPER,RELOAD,SHOW\ DATABASES)

来源

2014-04-09 10:27:16

+1

感谢提'append_privs' – oblalex

1

没有必要与窍门列表中,您可以设置多个以斜杠分隔的特权:

- name: Set user privileges 
    mysql_user: 
    user: {{ mysql_user }} 
    password: {{ mysql_password }} 
    state: present 
    priv: 'somedatabase.*:ALL/someotherdatabase.*:ALL/*.*:SUPER,RELOAD,SHOW DATABASES'

或短:

- name: Set user privileges 
    mysql_user: user={{ mysql_user }} password={{ mysql_password }} state=present priv='somedatabase.*:ALL/someotherdatabase.*:ALL/*.*:SUPER,RELOAD,SHOW DATABASES'

来源

2016-11-15 14:49:57

+0

这绝对是可以的用例之一,但我需要授予的某些数据库权限列表和一个超集一些其他特权数据库。你的方法会导致重复这些“共享”特权。虽然你的解决方案对于更简单的情况已经足够了;)谢谢你的答案! –

相关问题

 相关问题